Expert Advice Community

Risk assessment of vendor who is ISO 27001 certified

Guest user   Created: Jun 23, 2016   Last commented: Jun 23, 2016
I have another question about our Risk Assessment. If we have information assets that are being stored by a vendor that is ISO 27001 certified, how does that impact our risk assessment? I know that I will still need to do an assessment of the areas that we directly have control over (or what is required of us), but are we required/able to do additional research to ensure that the areas that are out of our control are done properly? For example, we won’t have control over their physical servers, but there is a risk that their server loses power, which could in turn mean that we lose access to our data (at least temporarily).

Expert: Dejan Kosutic   Jun 23, 2016

Answer:

When assessing the risk of third-party services, you have to assess the ability of those vendors to protect the confidentiality, integrity and availability of your data that they are handling. Of course, if they are ISO 27001 certified, this will mean that the risks are probably lower; however, this is not the only criterion. You should also check what your agreement with them says, what their reputation is, what other customers are saying, whether they have some other certificates, etc.
